Hi Amos,
thanks for your response.
On 04/20/2012 04:22 PM, Amos Jeffries wrote:
>> I found the following solution, but I'm not suire if that's a good way
>> to go.
>> http://www.mikealeonetti.com/wiki/index.php/Squid_LDAP_transparent_proxy_authentication_script
>>
>
> Not relevant. That is for session-based authorization on intercepted traffic.
> It is not authentication despite the authors use of the term.
> Basic auth protocol with its clear-text credentials is more secure.
Commercial solutions seem to offer similar solutions with a web-based form.
http://demo04.astaro.com/help/en_US/Content/ASG/websec/HTTPs_Profiles-Proxy_Profiles.html
Isn't there a way to build something like that with squid?
>> What can you recommend?
>
> What does the backend you are using LDAP protocol to access capable of?
We are using OpenLDAP directly, there is no other backend.
> Kerberos is best you can get in the way of secure authentication these days.
> Despite the limits it imposes on HTTP performance.
That would mean clients would have to be configured for Kerberos usage
correctly. Firefox for example would then authenticate via GSS-API Negotiation
Mechanism (SPNEGO).
I would love to see a solution that is more flexible without the need to
integrate clients with Kerberos.
> Alternatively you can try using a TLS connection to secure the transport
> between the web clients and Squid.
> http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
I think that would be the best solution for us. Are there other browsers that
support TLS secured connections too?
Thank you,
Christoph
Received on Wed Apr 25 2012 - 09:30:05 MDT
This archive was generated by hypermail 2.2.0 : Wed Apr 25 2012 - 12:00:03 MDT